VDB
KO
MEDIUM 6.5

GHSA-q855-8rh5-jfgq

ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path

Details

### Summary

In add-on mode, the ha-mcp settings UI routes are mounted both under the MCP secret path **and** at the bare root of the published port (`:9583`), so Home Assistant ingress can serve the "Open Web UI" button. The root-mounted routes perform no authentication — no secret, no `Origin` check, no CSRF token — so any client that can reach `:9583` without the MCP secret can invoke them.

### Affected configurations

Home Assistant **add-on** installations (`host_network: true` with port `9583` published), v7.6.0 and earlier. Docker and standalone installs are **not** affected — there the settings routes are mounted only under the secret path.

Root-mounted routes in affected versions: tool visibility (`/api/settings/tools` GET/POST), feature flags (`/api/settings/features` GET/POST), the auto-backup suite (`/api/settings/backups…` incl. restore/delete, and `/api/settings/backup-config`), add-on restart (`/api/settings/restart`), and — when the opt-in Tool Security Policies feature is enabled — the approval-policy API (`/api/policy/config` GET/PUT, `/api/policy/approve`, `/api/policy/deny`, …).

### Impact

Without authentication, a caller that reaches `:9583` — a peer on the local network, a reverse proxy/tunnel that forwards the bare root path (e.g. a whole-host Cloudflared config), or a CSRF `POST` from a page open in a LAN browser — can read or change which MCP tools are exposed, toggle feature flags, list/view/restore/delete backups, restart the add-on, and (with Tool Security Policies enabled) read and rewrite the approval policy, disabling the human-approval gate on gated tools.

There is **no** access to Home Assistant data, entities, or credentials, and no code execution. All effects are confined to the add-on's own configuration and lifecycle and are recoverable. The primary (same-LAN) vector is within the add-on's documented trusted-network model; remote reachability requires the operator to have reverse-proxied the bare port.

### Proof of concept

With the add-on running and reachable on `:9583`, from any host that can reach the port without the secret:

``` GET /api/settings/tools -> 200 (read tool config, no auth) POST /api/settings/tools {"states":{}} -> 200 (rewrite tool config, no auth / no CSRF token) POST /api/settings/restart -> 200 (restart the add-on) ```

The MCP endpoint itself remains correctly protected by the secret path.

### Patch

Fixed in PR homeassistant-ai/ha-mcp#1508 (merged to `master`): the root-mounted add-on routes are restricted to Home Assistant ingress, which always originates from the Supervisor (`172.30.32.2`); every other caller receives `403`. Direct and remote access continue to use the settings UI under the MCP secret path (`…/<secret>/settings`), so the "Open Web UI" button, Cloudflared, and the Webhook Proxy add-on are unaffected.

The fix will ship in the next stable add-on release. If you'd rather have it now, it is already on the dev channel (add-on dev build ` 7.6.0.dev393` or later) — optional; there's no need to switch channels just for this, it is a fairly low risk surface and only exposes the web UI for addon mode only.

### Severity

`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L` = 6.4 (Moderate). Confidentiality impact is None — tool config and backups are not secrets or credentials; integrity and availability impacts are Low — configuration changes and an add-on restart are recoverable.

### Credit

Reported by @bharat.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ha-mcp
Introduced in: 0 Fixed in: 7.10.0
Fix pip install --upgrade 'ha-mcp>=7.10.0'

References